Lecture 3: Verification of Weak Memory Models Part 1: State - - PowerPoint PPT Presentation

Lecture 3: Verification of Weak Memory Models

Part 1: State Reachability Problem Ahmed Bouajjani

LIAFA, University Paris Diderot – Paris 7

[Atig, B., Burckhardt, Musuvathi, POPL’10, ESOP’12] [Atig, B., Parlato, 2011] VTSA, MPI-Saarbr¨ ucken, September 2012

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 1 / 42

Sequential Consistency (SC) model

Parallel processes with shared memory Interleaving (Sequentially Consistent) semantics:

◮ Computations of different processes are shuffled ◮ Program order is preserved for each process.

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 2 / 42

Total Store Ordering (TSO)

Reads can overtake writes on = variables. FIFO buffers where writes are stored to be executed later. Reads take values from the main memory if no writes in the buffer on the same variable. Otherwise they get the value of the last write in the buffer on the same variable.

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 3 / 42

Write-to-Read Relaxation

P1 : write(x, 1) ; read(y, 0) P2 : read(x, 0) A scheduling for SC semantics: 3 steps P1 : write(x, 1)(2) ; read(y, 0)(3) P2 : read(x, 0)(1)

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 4 / 42

Write-to-Read Relaxation

P1 : write(x, 1) ; read(y, 0) P2 : read(x, 0) A scheduling for SC semantics: 3 steps P1 : write(x, 1)(2) ; read(y, 0)(3) P2 : read(x, 0)(1) Allowing reordering of actions on different variables: 2 steps ! P1 : read(y, 0)(1) ; write(x, 1)(2) P2 : read(x, 0)(1)

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 4 / 42

Relaxed Models

Read Local Write Early write (x,d) ; read (x,d) → write (x,d) (+) W → R: Write to Read write (x,d) ; read (y,d’) → read (y,d’) ; write (x,d) ⇒ TSO model (Total Store Ordering) (+) W → W: Write to Write write (x,d) ; write (y,d’) → write (y,d’) ; write (x,d) ⇒ PSO model (Partial Store Ordering) (+) R → R/W: Read to Read/Write ⇒ ∼RMO model (Relaxed Memory Ordering)

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 5 / 42

Relaxation ⇒ Potential Bad Behaviors

x = y = 0

thread 1 thread 2

a: y = 1 b: r1 = x c: if(r1 == 0) { d: . . . c: if(r1 == 0) } p: x = 1 q: r2 = y s: if(r2 == 0) { t: . . . c: if(r2 == 0) }

1- Initial state

thread 1 thread 2

pc1 = a r1 = ? pc2 = p r2 = ? shared memory

x = 0 y = 0 Dekker’s mutual exclusion protocol. Fails under Write to Read relaxation.

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 6 / 42

Relaxation ⇒ Potential Bad Behaviors

x = y = 0

thread 1 thread 2

a: y = 1 b: r1 = x c: if(r1 == 0) { d: . . . c: if(r1 == 0) } p: x = 1 q: r2 = y s: if(r2 == 0) { t: . . . c: if(r2 == 0) }

2- Writes are postponed

thread 1 thread 2

pc1 = b r1 = ? pc2 = q r2 = ? w(y, 1) w(x, 1) shared memory

x = 0 y = 0 Dekker’s mutual exclusion protocol. Fails under Write to Read relaxation.

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 6 / 42

Relaxation ⇒ Potential Bad Behaviors

x = y = 0

thread 1 thread 2

a: y = 1 b: r1 = x c: if(r1 == 0) { d: . . . c: if(r1 == 0) } p: x = 1 q: r2 = y s: if(r2 == 0) { t: . . . c: if(r2 == 0) }

3- Reading from memory

thread 1 thread 2

pc1 = c r1 = 0 pc2 = s r2 = 0 w(y, 1) w(x, 1) shared memory

x = 0 y = 0 Dekker’s mutual exclusion protocol. Fails under Write to Read relaxation.

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 6 / 42

Relaxation ⇒ Potential Bad Behaviors

x = y = 0

thread 1 thread 2

a: y = 1 b: r1 = x c: if(r1 == 0) { d: . . . c: if(r1 == 0) } p: x = 1 q: r2 = y s: if(r2 == 0) { t: . . . c: if(r2 == 0) }

4- Accessing critical sections

thread 1 thread 2

pc1 = d r1 = 0 pc2 = t r2 = 0 w(y, 1) w(x, 1) shared memory

x = 0 y = 0 Dekker’s mutual exclusion protocol. Fails under Write to Read relaxation.

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 6 / 42

Memory Reordering Fences

Write-Write Fences (wfence): Prevent reordering between writes. Read-Read Fences (rfence): Prevent reordering between reads. Fences (fence): Prevent reordering between any two memory operations.

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 7 / 42

Program Syntax

Finite number of shared variables {x, y, x1...} Finite data domain {d, d1, d2, ...} Finite number of finite-control processes P1, . . . , Pn with operations: Write(x, d), Wfence, Read(x, d), Rfence, AtomicRW (x, d1, d2)

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 8 / 42

Safety Verification Problem

For a memory model µ, a program P, and a (control + memory) state s State Reachability Problem (Safety) s is reachable in P ?

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 9 / 42

Safety Verification Problem

For a memory model µ, a program P, and a (control + memory) state s State Reachability Problem (Safety) s is reachable in P ? Decidability / Complexity ? Each process is finite-state For the SC memory model, this problem is PSPACE-complete

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 9 / 42

Safety Verification Problem

For a memory model µ, a program P, and a (control + memory) state s State Reachability Problem (Safety) s is reachable in P ? Decidability / Complexity ? Each process is finite-state For the SC memory model, this problem is PSPACE-complete Nontrivial for weak memory models: Pathsµ(P) = Closureµ(PathsSC(P)) is nonregular

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 9 / 42

Results for TSO [Atig, B., Burckhardt, Musuvathi, 2010]

The state reachability problem is decidable for TSO.

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 10 / 42

Results for TSO [Atig, B., Burckhardt, Musuvathi, 2010]

The state reachability problem is decidable for TSO. ... but highly complex: Nonprimitive recursive

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 10 / 42

Results for TSO [Atig, B., Burckhardt, Musuvathi, 2010]

The state reachability problem is decidable for TSO. ... but highly complex: Nonprimitive recursive The repeated state reachability problem is undecidable for TSO

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 10 / 42

Results for TSO [Atig, B., Burckhardt, Musuvathi, 2010]

The state reachability problem is decidable for TSO. ... but highly complex: Nonprimitive recursive The repeated state reachability problem is undecidable for TSO → Store buffers can simulate lossy channels, and vice-versa.

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 10 / 42

Decidability Frontier [Atig, B., Burckhardt, Musuvathi, 2012]

The state reachability problem is undecidable for TSO + R2W

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 11 / 42

Decidability Frontier [Atig, B., Burckhardt, Musuvathi, 2012]

The state reachability problem is undecidable for TSO + R2W The state reachability problem is decidable for NSW = TSO + W2W + R2R

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 11 / 42

Getting rid of Store Buffers [Atig, B., Parlato, 2011]

When is it possible to reduce TSO verification to SC verification ?

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 12 / 42

Getting rid of Store Buffers [Atig, B., Parlato, 2011]

When is it possible to reduce TSO verification to SC verification ? Find restrictions on the explored behaviors such that: Given a concurrent program P, it is possible to build a concurrent program P′ such that: running P with TSO semantics under these restrictions is equivalent to running P′ with SC semantics.

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 12 / 42

Getting rid of Store Buffers [Atig, B., Parlato, 2011]

When is it possible to reduce TSO verification to SC verification ? Find restrictions on the explored behaviors such that: Given a concurrent program P, it is possible to build a concurrent program P′ such that: running P with TSO semantics under these restrictions is equivalent to running P′ with SC semantics. A notion of Context-Bounded Analysis for TSO

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 12 / 42

Getting rid of Store Buffers [Atig, B., Parlato, 2011]

When is it possible to reduce TSO verification to SC verification ? Find restrictions on the explored behaviors such that: Given a concurrent program P, it is possible to build a concurrent program P′ such that: running P with TSO semantics under these restrictions is equivalent to running P′ with SC semantics. A notion of Context-Bounded Analysis for TSO Unbounded number of context-switches: Bounding the age of each write in the buffer in terms of context-switches.

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 12 / 42

Getting rid of Store Buffers [Atig, B., Parlato, 2011]

When is it possible to reduce TSO verification to SC verification ? Find restrictions on the explored behaviors such that: Given a concurrent program P, it is possible to build a concurrent program P′ such that: running P with TSO semantics under these restrictions is equivalent to running P′ with SC semantics. A notion of Context-Bounded Analysis for TSO Unbounded number of context-switches: Bounding the age of each write in the buffer in terms of context-switches. ⇒ Transfer decidability/complexity results from SC to TSO. ⇒ Use existing tools for concurrent programs under SC.

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 12 / 42

The rest of the lecture

Decidability and complexity for TSO: Simulations by/of Lossy Channel Systems

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 13 / 42

The rest of the lecture

Decidability and complexity for TSO: Simulations by/of Lossy Channel Systems Decidability and complexity beyond TSO:

◮ Speculative writes lead to undecidability ◮ Decidability: deal with reordered reads

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 13 / 42

The rest of the lecture

Decidability and complexity for TSO: Simulations by/of Lossy Channel Systems Decidability and complexity beyond TSO:

◮ Speculative writes lead to undecidability ◮ Decidability: deal with reordered reads

From TSO to SC under bounded analysis

◮ 2 notions of bounds ◮ Store buffers 2K copies of the globals per thread

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 13 / 42

An operational model for TSO

Each process has a FIFO buffer Configuration = control states + memory state + buffers contents Write(x,d) is sent to the buffer Memory update = execution of a Write taken from some buffer Read(x,d) is executed either if

◮ The last Write to x in the buffer is Write(x,d) (Read Own Write) ◮ The buffer does not contain a Write to x, and Memory(x) = d

AtomicRW (x, d1, d2) requires that the buffer is empty (∼ fence)

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 14 / 42

From W → R systems to Lossy Channel Systems

Thread 1: p0 p1 w(x, 1) p2 w(y, 1) p3 w(x, 2) p4 w(y, 2) p5 w(y, 3) Thread 2 : q0 q1 r(x, 2) q2 r(y, 0)

Model: The store buffers are considered as perfect FIFO channels

The store buffer of Thread 1

x y

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 15 / 42

From W → R systems to Lossy Channel Systems

Thread 1: p0 p1 w(x, 1) p2 w(y, 1) p3 w(x, 2) p4 w(y, 2) p5 w(y, 3) Thread 2 : q0 q1 r(x, 2) q2 r(y, 0)

Model: The store buffers are considered as perfect FIFO channels

The store buffer of Thread 1

x y

w(x, 1) w(y, 1) w(x, 2) w(y, 2) w(y, 3)

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 15 / 42

From W → R systems to Lossy Channel Systems

Thread 1: p0 p1 w(x, 1) p2 w(y, 1) p3 w(x, 2) p4 w(y, 2) p5 w(y, 3) Thread 2 : q0 q1 r(x, 2) q2 r(y, 0)

Model: The store buffers are considered as perfect FIFO channels

The store buffer of Thread 1

x y

1 w(y, 1) w(x, 2) w(y, 2) w(y, 3)

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 15 / 42

From W → R systems to Lossy Channel Systems

Thread 1: p0 p1 w(x, 1) p2 w(y, 1) p3 w(x, 2) p4 w(y, 2) p5 w(y, 3) Thread 2 : q0 q1 r(x, 2) q2 r(y, 0)

Model: The store buffers are considered as perfect FIFO channels

The store buffer of Thread 1

x y

1 1 w(x, 2) w(y, 2) w(y, 3)

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 15 / 42

From W → R systems to Lossy Channel Systems

Thread 1: p0 p1 w(x, 1) p2 w(y, 1) p3 w(x, 2) p4 w(y, 2) p5 w(y, 3) Thread 2 : q0 q1 r(x, 2) q2 r(y, 0)

Model: The store buffers are considered as perfect FIFO channels

The store buffer of Thread 1

x y

1 2 w(y, 2) w(y, 3)

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 15 / 42

From W → R systems to Lossy Channel Systems

Thread 1: p0 p1 w(x, 1) p2 w(y, 1) p3 w(x, 2) p4 w(y, 2) p5 w(y, 3) Thread 2 : q0 q1 r(x, 2) q2 r(y, 0)

Model: The store buffers are considered as perfect FIFO channels

The store buffer of Thread 1

x y

1 2 w(y, 2) w(y, 3)

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 15 / 42

From W → R systems to Lossy Channel Systems

Thread 1: p0 p1 w(x, 1) p2 w(y, 1) p3 w(x, 2) p4 w(y, 2) p5 w(y, 3) Thread 2 : q0 q1 r(x, 2) q2 r(y, 0)

Model: The store buffers are considered as perfect FIFO channels

The store buffer of Thread 1

x y

1 2 w(y, 2) w(y, 3)

Deadlock

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 15 / 42

From W → R systems to Lossy Channel Systems

Thread 1: p0 p1 w(x, 1) p2 w(y, 1) p3 w(x, 2) p4 w(y, 2) p5 w(y, 3) Thread 2 : q0 q1 r(x, 2) q2 r(y, 0)

Assume that the store buffers are lossy FIFO channels

The store buffer of Thread 1

x y

w(x, 1) w(y, 1) w(x, 2) w(y, 2) w(y, 3)

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 16 / 42

From W → R systems to Lossy Channel Systems

Thread 1: p0 p1 w(x, 1) p2 w(y, 1) p3 w(x, 2) p4 w(y, 2) p5 w(y, 3) Thread 2 : q0 q1 r(x, 2) q2 r(y, 0)

Assume that the store buffers are lossy FIFO channels

The store buffer of Thread 1

x y

w(x, 1) w(y, 1) w(x, 2) w(y, 2) w(y, 3)

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 16 / 42

From W → R systems to Lossy Channel Systems

Thread 1: p0 p1 w(x, 1) p2 w(y, 1) p3 w(x, 2) p4 w(y, 2) p5 w(y, 3) Thread 2 : q0 q1 r(x, 2) q2 r(y, 0)

Assume that the store buffers are lossy FIFO channels

The store buffer of Thread 1

x y

1 w(y, 1) w(x, 2) w(y, 2) w(y, 3)

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 16 / 42

From W → R systems to Lossy Channel Systems

Thread 1: p0 p1 w(x, 1) p2 w(y, 1) p3 w(x, 2) p4 w(y, 2) p5 w(y, 3) Thread 2 : q0 q1 r(x, 2) q2 r(y, 0)

Assume that the store buffers are lossy FIFO channels

The store buffer of Thread 1

x y

2 w(y, 1) w(y, 2) w(y, 3)

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 16 / 42

From W → R systems to Lossy Channel Systems

Thread 1: p0 p1 w(x, 1) p2 w(y, 1) p3 w(x, 2) p4 w(y, 2) p5 w(y, 3) Thread 2 : q0 q1 r(x, 2) q2 r(y, 0)

Assume that the store buffers are lossy FIFO channels

The store buffer of Thread 1

x y

2 w(y, 1) w(y, 2) w(y, 3)

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 16 / 42

From W → R systems to Lossy Channel Systems

Thread 1: p0 p1 w(x, 1) p2 w(y, 1) p3 w(x, 2) p4 w(y, 2) p5 w(y, 3) Thread 2 : q0 q1 r(x, 2) q2 r(y, 0)

Assume that the store buffers are lossy FIFO channels

The store buffer of Thread 1

x y

2 w(y, 1) w(y, 2) w(y, 3)

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 16 / 42

From W → R systems to Lossy Channel Systems

Buffer = perfect FIFO channel

x y

w(x, 1) w(y, 1) w(x, 2) w(y, 2) w(y, 3)

Channel= Sequence of memory states + Lossyness

x y

y = 0 x = 1 y = 1 x = 1 y = 1 x = 2 y = 2 x = 2 y = 3 x = 2

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 17 / 42

From W → R systems to Lossy Channel Systems

Buffer = perfect FIFO channel

x y

w(x, 1) w(y, 1) w(x, 2) w(y, 2) w(y, 3)

Channel= Sequence of memory states + Lossyness

x y

y = 0 x = 1 y = 1 x = 1 y = 1 x = 2 y = 2 x = 2 y = 3 x = 2

Lossyness= Unobservable memory states

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 17 / 42

From W → R systems to Lossy Channel Systems

Buffer = perfect FIFO channel

x y

w(x, 1) w(y, 1) w(x, 2) w(y, 2) w(y, 3)

Channel= Sequence of memory states + Lossyness

x y

y = 0 x = 1 y = 1 x = 1 y = 1 x = 2 y = 2 x = 2 y = 3 x = 2

Lossyness= Unobservable memory states

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 17 / 42

From W → R systems to Lossy Channel Systems

Buffer = perfect FIFO channel

x y

w(x, 1) w(y, 1) w(x, 2) w(y, 2) w(y, 3)

Channel= Sequence of memory states + Lossyness

x y

1 y = 1 x = 1 y = 1 x = 2 y = 2 x = 2 y = 3 x = 2

Lossyness= Unobservable memory states

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 17 / 42

From W → R systems to Lossy Channel Systems

Buffer = perfect FIFO channel

x y

1 w(y, 1) w(x, 2) w(y, 2) w(y, 3)

Channel= Sequence of memory states + Lossyness

x y

1 y = 1 x = 1 y = 1 x = 2 y = 2 x = 2 y = 3 x = 2

Lossyness= Unobservable memory states

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 17 / 42

From W → R systems to Lossy Channel Systems

Buffer = perfect FIFO channel

x y

1 w(y, 1) w(x, 2) w(y, 2) w(y, 3)

Channel= Sequence of memory states + Lossyness

x y

1 2 y = 1 x = 1 y = 2 x = 2 y = 3 x = 2

Lossyness= Unobservable memory states

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 17 / 42

From W → R systems to Lossy Channel Systems

Buffer = perfect FIFO channel

x y

1 1 w(x, 2) w(y, 2) w(y, 3)

Channel= Sequence of memory states + Lossyness

x y

1 2 y = 1 x = 1 y = 2 x = 2 y = 3 x = 2

Lossyness= Unobservable memory states

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 17 / 42

From W → R systems to Lossy Channel Systems

Buffer = perfect FIFO channel

x y

1 2 w(y, 2) w(y, 3)

Channel= Sequence of memory states + Lossyness

x y

1 2 y = 1 x = 1 y = 2 x = 2 y = 3 x = 2

Lossyness= Unobservable memory states

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 17 / 42

From W → R systems to Lossy Channel Systems

Process Memory

Write: Compute a new memory state; send it to the channel Read: Check the channel/memory Memory update: Receive a state; copy it to the memory

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 18 / 42

From W → R systems to Lossy Channel Systems

Problem: Interference between processes ?

Process Memory

Write: Compute a new memory state; send it to the channel Read: Check the channel/memory Memory update: Receive a state; copy it to the memory

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 18 / 42

From W → R systems to Lossy Channel Systems

Problem: Interference between processes ? ⇒ Each process guesses occurrences of writes by other processes

Process Memory

Write: Compute a new memory state; send it to the channel Read: Check the channel/memory Memory update: Receive a state; copy it to the memory Guessed Write: Send the guessed state to the channel

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 18 / 42

From W → R systems to Lossy Channel Systems

Problem: Interference between processes ? ⇒ Each process guesses occurrences of writes by other processes

Process Memory

Write: Compute a new memory state; send it to the channel Read: Check the channel/memory Memory update: Receive a state; copy it to the memory Guessed Write: Send the guessed state to the channel ⇒ Check that all process agree on the sequence of states

Synchronization of the lossy channel machines over send actions

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 18 / 42

Decidability for the State Reachability Problem

Thm The state reachability problem for TSO programs is reducible to the control-state reachability problem for LCS.

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 19 / 42

Decidability for the State Reachability Problem

Thm The state reachability problem for TSO programs is reducible to the control-state reachability problem for LCS. Thm ([Abdulla, Jonsson, 1993]) The control-state reachability problem for LCS is decidable Corollary The state reachability problem for TSO systems is decidable.

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 19 / 42

From Lossy Channel Systems to W → R systems

T1 T2

read read write update update write

x y

T1 simulates the lossy channel machine:

◮ Send operation: Write operation of T1 to the variable x ◮ Read operation: Read operation of T1 from the variable y

T2 transfers the successive values of the variable x to the variable y

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 20 / 42

Complexity

Thm Every LCS can be simulated by a TSO program.

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 21 / 42

Complexity

Thm Every LCS can be simulated by a TSO program. Thm ([Schnoebelen, 2001]) The control-state reachability problem for LCS is non-primitive recursive ⇒ Lower bound for the state reachability problem under TSO.

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 21 / 42

TSO + R2W: Causality cycles

x = y = 0 P1 P2 (1) r(x, 1) (3) r(y, 1) (2) w(y, 1) (4) w(x, 1) x = y = 1

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 22 / 42

TSO + R2W: Causality cycles

x = y = 0 P1 P2 (1) r(x, 1) (3) r(y, 1) (2) w(y, 1) (4) w(x, 1) x = y = 1

This behavior is possible since writes can overtake reads: (2), (3), (4), (1) Speculative writes ⇒ causality cycles

◮ (2) is executed assuming that (1) will be executed in the future ◮ (1) is indeed executed, but it is based on a write that depends from (2)

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 22 / 42

TSO + R2W: Undecidabiity

w(x1, uik) r(x2, uik) w(y1, ik) r(y2, ik)

Thread 1

w(x2, vil) r(x1, vil) w(y2, jl) r(y1, jl)

Thread 2

write ui1 · · · uin write i1 · · · in read u

i

1 · · · u

i

n

read i1 · · · in read vj1 · · · vjm read j

1

· · · j

m

write vj1 · · · vjm write j1 · · · jm

♯ x1 ♯ y1 ♯ x2 ♯ y2

Assume that: ui1ui2 · · · uin = vj1vj2 · · · vjm and i1i2 · · · in = j1j2 · · · jm

T1: r(y2, in) w(y1, in) r(x2, uin) w(x1, uin) · · · r(y2, i1) w(y1, i1) r(x2, ui1) w(x1, ui1) T2: r(y1, jn) w(y2, jn) r(x1, vjn) w(x2, vjn) · · · r(y1, j1) w(y2, j1) r(x1, vj1) w(x2, vj1)

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 23 / 42

TSO + R2W: Undecidabiity

w(x1, uik) r(x2, uik) w(y1, ik) r(y2, ik)

Thread 1

w(x2, vil) r(x1, vil) w(y2, jl) r(y1, jl)

Thread 2

write ui1 · · · uin write i1 · · · in read u

i

1 · · · u

i

n

read i1 · · · in read vj1 · · · vjm read j

1

· · · j

m

write vj1 · · · vjm write j1 · · · jm

♯ x1 ♯ y1 ♯ x2 ♯ y2

Assume that: ui1ui2 · · · uin = vj1vj2 · · · vjm and i1i2 · · · in = j1j2 · · · jm

T1: r(y2, in) r(x2, uin) · · · r(y2, i1) r(x2, ui1) · · · w(y1, in) w(x1, uin)· · · w(y1, i1) w(x1, ui1) T2: w(y2, jn) w(x2, vjn) · · · w(y2, j1) w(x2, vj1) · · · r(y1, jn) r(x1, vjn)· · · r(y1, j1) r(x1, vj1)

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 23 / 42

TSO + R2W: Undecidabiity

w(x1, uik) r(x2, uik) w(y1, ik) r(y2, ik)

Thread 1

w(x2, vil) r(x1, vil) w(y2, jl) r(y1, jl)

Thread 2

write ui1 · · · uin write i1 · · · in read u

i

1 · · · u

i

n

read i1 · · · in read vj1 · · · vjm read j

1

· · · j

m

write vj1 · · · vjm write j1 · · · jm

♯ x1 ♯ y1 ♯ x2 ♯ y2

Assume that: ui1ui2 · · · uin = vj1vj2 · · · vjm and i1i2 · · · in = j1j2 · · · jm

T1: r(y2, in) r(x2, uin) · · · r(y2, i1) r(x2, ui1) · · · w(y1, in) w(x1, uin)· · · w(y1, i1) w(x1, ui1) T2: w(y2, jn) w(x2, vjn) · · · w(y2, j1) w(x2, vj1) · · · r(y1, jn) r(x1, vjn)· · · r(y1, j1) r(x1, vj1)

⇒ Reachability TSO + R2W

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 23 / 42

NSW: Non Speculative Writes

TSO = Read-Local-Write-Early + W2R PSO = TSO + W2W NSW = PSO + R2R

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 24 / 42

NSW: Non Speculative Writes

TSO = Read-Local-Write-Early + W2R PSO = TSO + W2W NSW = PSO + R2R Simulation of TSO under PSO: Add a write-write fence (wfence) before each write

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 24 / 42

NSW: Non Speculative Writes

TSO = Read-Local-Write-Early + W2R PSO = TSO + W2W NSW = PSO + R2R Simulation of TSO under PSO: Add a write-write fence (wfence) before each write Simulation of PSO under NSW: Add a read-read fence (rfence) before each read

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 24 / 42

Operational Model: Event Structures

Process 1: p0 w(x, 1) p1 w(y, 1) p2 wfence p3 r(x, 2) p4 w(y, 2) p5 Process 2: q0 fence q1 r(y, 1) q2 w(x, 2) q3 rfence q4 r(x, 2) q5

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 25 / 42

Operational Model: Event Structures

Process 1: p0 w(x, 1) p1 w(y, 1) p2 wfence p3 r(x, 2) p4 w(y, 2) p5 Process 2: q0 fence q1 r(y, 1) q2 w(x, 2) q3 rfence q4 r(x, 2) q5

Configuration= control states + memory state + event structures

p0 q0 x = 0 y = 0

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 25 / 42

Operational Model: Event Structures

Process 1: p0 w(x, 1) p1 w(y, 1) p2 wfence p3 r(x, 2) p4 w(y, 2) p5 Process 2: q0 fence q1 r(y, 1) q2 w(x, 2) q3 rfence q4 r(x, 2) q5

Writes on x are inserted after the last reads, wfences, and writes on x.

w(x, 1) p1 q0 x = 0 y = 0

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 25 / 42

Operational Model: Event Structures

Process 1: p0 w(x, 1) p1 w(y, 1) p2 wfence p3 r(x, 2) p4 w(y, 2) p5 Process 2: q0 fence q1 r(y, 1) q2 w(x, 2) q3 rfence q4 r(x, 2) q5

Writes on y are inserted after the last reads, wfences, and writes on y.

w(x, 1) w(y, 1) p2 q0 x = 0 y = 0

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 25 / 42

Operational Model: Event Structures

Process 1: p0 w(x, 1) p1 w(y, 1) p2 wfence p3 r(x, 2) p4 w(y, 2) p5 Process 2: q0 fence q1 r(y, 1) q2 w(x, 2) q3 rfence q4 r(x, 2) q5

Wfences are inserted after the last writes.

w(x, 1) w(y, 1) wf p3 q0 x = 0 y = 0

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 25 / 42

Operational Model: Event Structures

Process 1: p0 w(x, 1) p1 w(y, 1) p2 wfence p3 r(x, 2) p4 w(y, 2) p5 Process 2: q0 fence q1 r(y, 1) q2 w(x, 2) q3 rfence q4 r(x, 2) q5

Reads on x are inserted after the last writes/reads on x.

w(x, 1) w(y, 1) wf r(x, 2) p4 q0 x = 0 y = 0

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 25 / 42

Operational Model: Event Structures

Process 1: p0 w(x, 1) p1 w(y, 1) p2 wfence p3 r(x, 2) p4 w(y, 2) p5 Process 2: q0 fence q1 r(y, 1) q2 w(x, 2) q3 rfence q4 r(x, 2) q5

Writes on y are inserted after the last reads, wfences, and writes on y.

w(x, 1) w(y, 1) wf r(x, 2) w(y, 2) p5 q0 x = 0 y = 0

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 25 / 42

Operational Model: Event Structures

Process 1: p0 w(x, 1) p1 w(y, 1) p2 wfence p3 r(x, 2) p4 w(y, 2) p5 Process 2: q0 fence q1 r(y, 1) q2 w(x, 2) q3 rfence q4 r(x, 2) q5

Fences are performed by a process only when its event structure is empty.

w(x, 1) w(y, 1) wf r(x, 2) w(y, 2) p5 q1 x = 0 y = 0

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 25 / 42

Operational Model: Event Structures

Process 1: p0 w(x, 1) p1 w(y, 1) p2 wfence p3 r(x, 2) p4 w(y, 2) p5 Process 2: q0 fence q1 r(y, 1) q2 w(x, 2) q3 rfence q4 r(x, 2) q5

Reads on y are inserted after the last writes/reads on y.

w(x, 1) w(y, 1) wf r(x, 2) w(y, 2) r(y, 1) p5 q2 x = 0 y = 0

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 25 / 42

Operational Model: Event Structures

Process 1: p0 w(x, 1) p1 w(y, 1) p2 wfence p3 r(x, 2) p4 w(y, 2) p5 Process 2: q0 fence q1 r(y, 1) q2 w(x, 2) q3 rfence q4 r(x, 2) q5

Writes on x are inserted after the last reads, wfences, and writes on x.

w(x, 1) w(y, 1) wf r(x, 2) w(y, 2) r(y, 1) w(x, 2) p5 q3 x = 0 y = 0

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 25 / 42

Operational Model: Event Structures

Process 1: p0 w(x, 1) p1 w(y, 1) p2 wfence p3 r(x, 2) p4 w(y, 2) p5 Process 2: q0 fence q1 r(y, 1) q2 w(x, 2) q3 rfence q4 r(x, 2) q5

Updates to memory are performed when those writes are minimal.

w(x, 1) wf r(x, 2) w(y, 2) r(y, 1) w(x, 2) p5 q3 x = 0 y = 1

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 25 / 42

Operational Model: Event Structures

Process 1: p0 w(x, 1) p1 w(y, 1) p2 wfence p3 r(x, 2) p4 w(y, 2) p5 Process 2: q0 fence q1 r(y, 1) q2 w(x, 2) q3 rfence q4 r(x, 2) q5

Reads are validated w.r.t. the memory when they are minimal.

w(x, 1) wf r(x, 2) w(y, 2) w(x, 2) p5 q3 x = 0 y = 1

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 25 / 42

Operational Model: Event Structures

Process 1: p0 w(x, 1) p1 w(y, 1) p2 wfence p3 r(x, 2) p4 w(y, 2) p5 Process 2: q0 fence q1 r(y, 1) q2 w(x, 2) q3 rfence q4 r(x, 2) q5

Rfences are performed by a process only if there is no pending reads.

w(x, 1) wf r(x, 2) w(y, 2) w(x, 2) p5 q4 x = 0 y = 1

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 25 / 42

Operational Model: Event Structures

Process 1: p0 w(x, 1) p1 w(y, 1) p2 wfence p3 r(x, 2) p4 w(y, 2) p5 Process 2: q0 fence q1 r(y, 1) q2 w(x, 2) q3 rfence q4 r(x, 2) q5

Reads on x are validated immediately with the last write on x (if possible)

w(x, 1) wf r(x, 2) w(y, 2) w(x, 2) p5 q5 x = 0 y = 1

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 25 / 42

Operational Model: Event Structures

Process 1: p0 w(x, 1) p1 w(y, 1) p2 wfence p3 r(x, 2) p4 w(y, 2) p5 Process 2: q0 fence q1 r(y, 1) q2 w(x, 2) q3 rfence q4 r(x, 2) q5

Updates to memory are performed when those writes are minimal.

wf r(x, 2) w(y, 2) w(x, 2) p5 q5 x = 1 y = 1

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 25 / 42

Operational Model: Event Structures

Process 1: p0 w(x, 1) p1 w(y, 1) p2 wfence p3 r(x, 2) p4 w(y, 2) p5 Process 2: q0 fence q1 r(y, 1) q2 w(x, 2) q3 rfence q4 r(x, 2) q5

Updates to memory are performed when those writes are minimal.

wf r(x, 2) w(y, 2) p5 q5 x = 2 y = 1

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 25 / 42

Operational Model: Event Structures

Process 1: p0 w(x, 1) p1 w(y, 1) p2 wfence p3 r(x, 2) p4 w(y, 2) p5 Process 2: q0 fence q1 r(y, 1) q2 w(x, 2) q3 rfence q4 r(x, 2) q5

Reads are validated w.r.t. the memory when they are minimal.

wf w(y, 2) p5 q5 x = 2 y = 1

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 25 / 42

Operational Model: Event Structures

Process 1: p0 w(x, 1) p1 w(y, 1) p2 wfence p3 r(x, 2) p4 w(y, 2) p5 Process 2: q0 fence q1 r(y, 1) q2 w(x, 2) q3 rfence q4 r(x, 2) q5

Wfences are removed if they are minimal.

w(y, 2) p5 q5 x = 2 y = 1

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 25 / 42

Operational Model: Event Structures

Process 1: p0 w(x, 1) p1 w(y, 1) p2 wfence p3 r(x, 2) p4 w(y, 2) p5 Process 2: q0 fence q1 r(y, 1) q2 w(x, 2) q3 rfence q4 r(x, 2) q5

Updates to memory are performed when those writes are minimal.

p5 q5 x = 2 y = 2

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 25 / 42

From Event Structures to Buffers

Read Elimination Wfence Elimination Event Structure Semantics Event Structure Semantics (without Reads) Store Buffer Semantics

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 26 / 42

From Event Structures to Buffers

Event Structure Semantics Event Structure Semantics (without Reads) Store Buffer Semantics Read Elimination Wfence Elimination

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 26 / 42

Elimination of Reads

Configuration= control states + event structures+ memory history buffer.

w(x, 1) wf w(x, 2) w(y, 1) wf w(x, 3) w(x, 2) wf w(y, 1) p0 q0 Memory History Buffer x = 2 y = 1 P1 : y x = 2 y = 1 x = 2 y = 1 P1 : x x = 2 y = 0 P2 : x, y x = 1 y = 0 x = 0 y = 0

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 27 / 42

From Event Structures to Buffers

Read Elimination Wfence Elimination Event Structure Semantics Event Structure Semantics (without Reads) Store Buffer Semantics

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 28 / 42

From Event Structures to Buffers

Event Structure Semantics Event Structure Semantics (without Reads) Store Buffer Semantics Read Elimination Wfence Elimination

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 28 / 42

Elimination of Write Fences

Configurations= Control states + Variable/Serial Buffers + History Buffer

Serial Buffers Variable Buffers w(x, 1) w(x, 2) w(y, 1) q0 p0 Memory History Buffer P1, P2 : x, y x = 0 y = 0

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 29 / 42

The State Reachability Problem for NSW

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 30 / 42

Decidability of State Reachability

Approach: Well Structured Systems [Abdulla et al., Finkel et al.]

Well-Quasi Ordering ≤ on Configurations

• n every sequence c0, c1, c2, . . ., ∃i < j. ci ≤ cj

Monotonicity: ≤ is a simulation relation w.r.t. transition relation of the model ⇒ Backward reachability analysis terminates

Problem: NSW ?

Sub-word ordering on buffers?

◮ NSW are Not Monotonic!

Hard to apply WSS framework to NSW ⊲ ⊲ ⊲ x=0 a x=0 b x=0 c

• ⊲ ⊲ ⊲

x=0 a x=0 c

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 31 / 42

NSW+ systems

NSW ≡ NSW+ NSW+: WSS wrt

Single Serial Buffer Variable Buffers x = 1 y = 0 P1 : x x = 1 y = 1 P2 : y w(x, 2) w(y, 0) q0 p0 Memory History Buffer P1, P2 : x, y x = 0 y = 0

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 32 / 42

NSW+ systems

NSW ≡ NSW+ NSW+: WSS wrt Single Serial Buffer

Single Serial Buffer Variable Buffers x = 1 y = 0 P1 : x x = 1 y = 1 P2 : y w(x, 2) w(y, 0) q0 p0 Memory History Buffer P1, P2 : x, y x = 0 y = 0

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 32 / 42

NSW+ systems

NSW ≡ NSW+ NSW+: WSS wrt Each message in the serial buffer contains a snapshot of memory

Single Serial Buffer Variable Buffers x = 1 y = 0 P1 : x x = 1 y = 1 P2 : y w(x, 2) w(y, 0) q0 p0 Memory History Buffer P1, P2 : x, y x = 0 y = 0

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 32 / 42

NSW+ systems

NSW ≡ NSW+ NSW+: WSS wrt Unbounded buffers but lossy

Single Serial Buffer Variable Buffers x = 1 y = 0 P1 : x x = 1 y = 1 P2 : y w(x, 2) w(y, 0) q0 p0 Memory History Buffer P1, P2 : x, y x = 0 y = 0

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 32 / 42

NSW+ systems

NSW ≡ NSW+ NSW+: WSS wrt Processes have different views

• f memory (the use of pointers)

Single Serial Buffer Variable Buffers x = 1 y = 0 P1 : x x = 1 y = 1 P2 : y w(x, 2) w(y, 0) q0 p0 Memory History Buffer P1, P2 : x, y x = 0 y = 0

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 32 / 42

State Reachability: Under approximate analysis

What is a suitable bounding notion ? Should allow a compositional reduction to SC Should avoid representing the contents of store buffers

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 33 / 42

K-round Reachability

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 34 / 42

Compositional Reasoning

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 35 / 42

Encoding Store Buffers: The View of a Process

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 36 / 42

Simulating Round 1

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 37 / 42

Simulating Round 2

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 38 / 42

Bounding Store Ages

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 39 / 42

Bounding Store Ages

Translation: Maskj and Queuej are used circularly (modulo K + 1).

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 40 / 42

Consequences

K-round reachability is decidable for boolean concurrent programs with recursive procedure calls. K-store-age reachability is decidable for boolean concurrent programs with finite-state threads (without recursion). These results hold also for programs with parametric/dynamic number of threads. (Reduction to coverability in Petri nets, using [Atig, B., Qadeer, 2009] for programs with recursion) It is possible to use existing tools for the analysis/verification/testing

• f concurrent programs under SC.
• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 41 / 42

State Reachability: Conclusion

State Reachability: Decidable for TSO and beyond. Undecidability when speculative writes are allowed. But it is a hard problem (nonprimitive recursive when decidable) ! However, it is possible to have efficient analysis techniques Reduction to SC is a promising idea, can be generalized beyond TSO Abstraction-based techniques: e.g., [Kuperstein, Vechev, Yahav, PLDI’11] Symbolic techniques: [Abdulla, Atig, Chen, Leonardson, Rezine, TACAS’12] [Linden, Wolper, SPIN’10-11] Other important models: PowerPC, ARM (hardware), C++

• A. Bouajjani (LIAFA, UP7)

Lecture 3: Weak Memory Models September 2012 42 / 42